BETA


Events

2024/11/20
   Final act published in Official Journal
Details

PURPOSE: to lay down a horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements.

LEGISLATIVE ACT: Regulation (EU) 2024/2847 of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).

CONTENT: the regulation establishes:

- rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;

- essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity;

- essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes;

- rules on market surveillance and enforcement of the above-mentioned rules and requirements.

Scope

The regulation will apply to all products that are connected either directly or indirectly to another device or to a network . Consumer products with digital elements categorised as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure.

This includes, in particular: (i) identity management systems and privileged access management software and hardware, including authentication and access control readers and biometric readers; (ii) password managers; (iii) software that searches for, removes or quarantines malicious software; (iv) products with digital elements with virtual private network (VPN) functions; (v) routers, modems for connecting to the internet; (vi) smart home general purpose virtual assistants; (vii) smart home products with security features, including smart door locks, security cameras, baby monitors and alarm systems; (viii) connected toys; or (ix) personal wearable products. Exceptions are provided for products for which cybersecurity requirements are already set out in existing EU rules, such as medical devices, aeronautical products and cars.

Stakeholder consultation

When preparing measures for the implementation of this regulation, the Commission will consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level.

Essential requirements

Manufacturers will ensure that all products with digital elements are designed and developed in accordance with the essential cybersecurity requirements set out in the Regulation. They will also carry out a cybersecurity risk assessment of a product with digital elements and take the results of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements, with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including on the health and safety of users.

The cybersecurity risk assessment will be documented and updated during a support period . When placing a product with digital elements on the market, the manufacturer will ensure that vulnerabilities in that product are managed effectively and in accordance with the essential requirements. When identifying a vulnerability in a component, including an open-source software component, that is integrated into the product with digital elements, the manufacturer will report the vulnerability to the person or entity that maintains the component, and address and remediate the vulnerability.

Manufacturers will: (i) systematically document, in a manner that is proportionate to the nature and the cybersecurity risks; (ii) ensure that each security update, which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period; (iii) set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital element; (iv) ensure that products with digital elements are accompanied by the information and instructions for the user.

Reporting obligations of manufacturers

A manufacturer will notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA.

The manufacturer will also submit: (i) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; (ii) a vulnerability notification , without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability. To simplify the reporting obligations of manufacturers, a single reporting platform will be established by ENISA.

For example, software and hardware products will bear the CE marking to indicate that they comply with the regulation's requirements. The CE marking must be affixed in a visible, legible and indelible manner to the product containing digital elements.

The new law will allow consumers to take cybersecurity into account when selecting and using products that contain digital elements, making it easier for them to identify hardware and software products with the proper cybersecurity features.

ENTRY INTO FORCE: 10.12.2024.

APPLICATION: from 11.12.2027.

Final act

2024/10/23
   Council of the EU - Draft final act
Documents
2024/10/23
   CSL - Final act signed
2024/10/10
   EP/CSL - Act adopted by Council after Parliament's 1st reading
2024/07/22
   European Commission - Commission response to text adopted in plenary
Documents
2024/03/12
   EP - Decision by Parliament, 1st reading
Details

The European Parliament adopted by 517 votes to 12, with 78 abstentions, legislative resolution on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.

This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.

The European Parliament's position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:

Important products with digital elements (Annex III)

Certain categories of products with digital elements should be subject to stricter conformity assessment procedures . Consumer products with digital elements categorised in this Regulation as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure. This applies to smart home products with security functionalities, such as smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology.

The Commission is empowered to adopt delegated acts to amend Annex III of the Regulation by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list.

Critical products with digital elements (Annex IV)

The categories of products with digital elements referred to in the Regulation have a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation.

The Commission is empowered to adopt delegated acts to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme, to demonstrate conformity with the essential requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted and is available to manufacturers.

Stakeholder consultation

When preparing measures for the implementation of this Regulation, the Commission should consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level.

In order to respond to the needs of professionals, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, should promote measures and strategies aiming to develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies.

Obligations of manufacturers

Manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements. The cybersecurity risk assessment should be documented and updated as appropriate during a support period .

From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements should immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.

Manufacturers should, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability.

Manufacturers should:

- determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements;

- ensure that each security update , which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period;

- set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital element.

Reporting obligations of manufacturers

A manufacturer should notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer should submit:

(i) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; (ii) a vulnerability notification , without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability. A manufacturer should notify any severe incident having an impact on the security of the product with digital elements.

Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. In order to simplify the reporting obligations of manufacturers, a single reporting platform should be established by ENISA.

Text adopted by Parliament, 1st reading/single reading

Documents
2024/03/12
   EP - Results of vote in Parliament
2024/03/11
   EP - Debate in Parliament
Documents
2024/01/23
   EP - Approval in committee of the text agreed at 1st reading interinstitutional negotiations
2023/12/20
   European Parliament - Text agreed during interinstitutional negotiations
Documents
2023/12/20
   Council of the EU - Coreper letter confirming interinstitutional agreement
2023/09/13
   EP - Committee decision to enter into interinstitutional negotiations confirmed by plenary (Rule 71)
2023/09/11
   EP - Committee decision to enter into interinstitutional negotiations announced in plenary (Rule 71)
2023/07/27
   EP - Committee report tabled for plenary, 1st reading
Details

The Committee on Industry, Research and Energy adopted the report by Nicola DANTI (Renew, IT) on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.

The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:

Security updates

The amended text stated that manufacturers should ensure, where technically feasible, that products with digital elements clearly differentiate between security and functionality updates. Security updates, designed to decrease the level of risk or to remedy potential vulnerabilities, should be installed automatically , in particular in the case of consumer products.

Enhancing skills in a cyber resilient digital environment

Members stressed the importance of professional skills in the cybersecurity field, proposing education and training programmes, collaboration initiatives, and strategies for enhancing workforce mobility.

Point of single contact for users

In order to facilitate reporting on the security of products , manufacturers should designate a point of single contact to enable users to communicate directly and rapidly with them, where applicable by electronic means and in a user-friendly manner, including by allowing users of the product to choose the means of communication, which should not solely rely on automated tools.

Manufacturers should make public the information necessary for the end users to easily identify and communicate with their points of single contact.

Guidelines

The amended text included provisions for the Commission to issue guidelines to create clarity, certainty for, and consistency among the practices of economic operators. The Commission should focus on how to facilitate compliance by microenterprises, small enterprises and medium-sized enterprises.

Conformity assessment procedures for products with digital elements

Harmonised standards, common specifications or European cybersecurity certification schemes should be in place for six months before the conformity assessment procedure applies.

Mutual recognition agreements (MRAs)

To promote international trade, the Commission should endeavour to conclude Mutual Recognition Agreements (MRAs) with third countries. The Union should establish MRAs only with third countries that are on a comparable level of technical development and have a

compatible approach concerning conformity assessment. The MRAs should ensure the same level of protection as that provided for by this Regulation.

Procedure at EU level concerning products with digital elements presenting a significant cybersecurity risk

Where the Commission has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, Members considered that it should inform the relevant market surveillance authorities and issue targeted recommendations to economic operators aimed at ensuring that appropriate corrective actions are put in place.

Revenues generated from penalties

The revenues generated from the payments of penalties should be used to strengthen the level of cybersecurity within the Union, including by developing capacity and skills related to cybersecurity, improving economic operators' cyber resilience, in particular of microenterprises and of small and medium-sized enterprises and more in general fostering public awareness of cyber security issues.

Evaluation and review

Every year when presenting the Draft Budget for the following year, the Commission should submit a detailed assessment of ENISA's tasks under this Regulation as set out in Annex VIa and other relevant Union law and shall detail the financial and human resources needed to fulfil those tasks.

Committee report tabled for plenary, 1st reading/single reading

Documents
2023/07/19
   EP - Vote in committee, 1st reading
2023/07/19
   EP - Committee decision to open interinstitutional negotiations with report adopted in committee
2023/06/30
   European Parliament - Committee opinion
Documents
2023/05/23
   NL_SENATE - Contribution
Documents
2023/05/03
   European Parliament - Amendments tabled in committee
Documents
2023/05/03
   European Parliament - Amendments tabled in committee
Documents
2023/04/28
   European Parliament - Amendments tabled in committee
Documents
2023/04/20
   EP - Referral to associated committees announced in Parliament
2023/03/31
   European Parliament - Committee draft report
Documents
2022/12/21
   PT_PARLIAMENT - Contribution
Documents
2022/12/19
   BG_PARLIAMENT - Contribution
Documents
2022/12/14
   Economic and Social Committee: opinion, report - ESC
Documents
2022/11/14
   CZ_CHAMBER - Contribution
Documents
2022/11/09
   Document attached to the procedure - EDPS
2022/11/09
   EP - Committee referral announced in Parliament, 1st reading
2022/10/26
   EP - DANTI Nicola (Renew) appointed as rapporteur in ITRE
2022/09/15
   European Commission - Document attached to the procedure
2022/09/15
   European Commission - Document attached to the procedure
2022/09/15
   European Commission - Legislative proposal
Details

PURPOSE: to lay down a horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements.

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021. Such products suffer from two major problems adding costs for users and the society: (i) a low level of cybersecurity , reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and (ii) an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner. In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes. This can lead to severe disruption of economic and social activities or even become life threatening.

While the existing Union legislation applies to certain products with digital elements, there is no horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements. It is therefore necessary to lay down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market.

CONTENT: with this proposal, the Commission seeks to lay down horizontal cybersecurity rules which are not specific to sectors or certain products with digital elements.

Subject matter

Based on the new legislative framework for product legislation in the EU, the proposal establishes:

- rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;

- essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity;

- essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes;

- rules on market surveillance and enforcement of the above-mentioned rules and requirements.

Scope

The draft Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. It will not apply to products for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars .

Objectives

It has two main objectives aiming to ensure the proper functioning of the internal market:

- create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufactures take security seriously throughout a product’s life cycle;

- create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

Obligations for manufacturers, importers and distributors

Obligations would be set up for economic operators, starting from manufacturers, up to distributors and importers, in relation to the placement on the market of products with digital elements, as adequate for their role and responsibilities on the supply chain.

The essential cybersecurity requirements and obligations mandate that all products with digital elements shall only be made available on the market if, where dully supplied, properly installed, maintained and used for their intended purpose or under conditions, which can be reasonably foreseen, they meet the essential cybersecurity requirements set out in this draft Regulation.

The essential requirements and obligations would mandate manufacturers to factor in cybersecurity in the design and development and production of the products with digital elements, exercise due diligence on security aspects when designing and developing their products, be transparent on cybersecurity aspects that need to be made known to customers, ensure security support (updates) in a proportionate way, and comply with vulnerability handling requirements.

Notification of conformity assessment bodies

Proper functioning of notified bodies is crucial for ensuring a high level of cybersecurity and for the confidence of all interested parties. Therefore, the proposal sets out requirements for national authorities responsible for conformity assessment bodies (notified bodies). Member States will designate a notifying authority that will be responsible for setting up and carrying out the necessary procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies.

Conformity assessment process

Manufacturers should undergo a process of conformity assessment to demonstrate whether the specified requirements relating to a product have been fulfilled. Where compliance of the product with the applicable requirements has been demonstrated, manufacturers and developers would draw up an EU declaration of conformity and will be able to affix the CE marking.

Market surveillance

Member States should appoint market surveillance authorities , which would be responsible for enforcing the Cyber Resilience Act obligations.

In case of non-compliance, market surveillance authorities could require operators to bring the non-compliance to an end and eliminate the risk, to prohibit or restrict the making available of a product on the market, or to order that the product is withdrawn or recalled. Each of these authorities will be able to fine companies that don't adhere to the rules.

Application

To allow manufacturers, notified bodies and Member States time to adapt to the new requirements, the proposed Regulation will become applicable 24 months after its entry into force, except for the reporting obligation on manufacturers, which would apply from 12 months after the date of entry into force.

Legislative proposal

2022/09/15
   European Commission - Document attached to the procedure
Documents
2022/09/15
   EC - Legislative proposal published
Details

PURPOSE: to lay down a horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements.

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021. Such products suffer from two major problems adding costs for users and the society: (i) a low level of cybersecurity , reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and (ii) an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner. In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes. This can lead to severe disruption of economic and social activities or even become life threatening.

While the existing Union legislation applies to certain products with digital elements, there is no horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements. It is therefore necessary to lay down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market.

CONTENT: with this proposal, the Commission seeks to lay down horizontal cybersecurity rules which are not specific to sectors or certain products with digital elements.

Subject matter

Based on the new legislative framework for product legislation in the EU, the proposal establishes:

- rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;

- essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity;

- essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes;

- rules on market surveillance and enforcement of the above-mentioned rules and requirements.

Scope

The draft Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. It will not apply to products for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars .

Objectives

It has two main objectives aiming to ensure the proper functioning of the internal market:

- create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufactures take security seriously throughout a product’s life cycle;

- create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

Obligations for manufacturers, importers and distributors

Obligations would be set up for economic operators, starting from manufacturers, up to distributors and importers, in relation to the placement on the market of products with digital elements, as adequate for their role and responsibilities on the supply chain.

The essential cybersecurity requirements and obligations mandate that all products with digital elements shall only be made available on the market if, where dully supplied, properly installed, maintained and used for their intended purpose or under conditions, which can be reasonably foreseen, they meet the essential cybersecurity requirements set out in this draft Regulation.

The essential requirements and obligations would mandate manufacturers to factor in cybersecurity in the design and development and production of the products with digital elements, exercise due diligence on security aspects when designing and developing their products, be transparent on cybersecurity aspects that need to be made known to customers, ensure security support (updates) in a proportionate way, and comply with vulnerability handling requirements.

Notification of conformity assessment bodies

Proper functioning of notified bodies is crucial for ensuring a high level of cybersecurity and for the confidence of all interested parties. Therefore, the proposal sets out requirements for national authorities responsible for conformity assessment bodies (notified bodies). Member States will designate a notifying authority that will be responsible for setting up and carrying out the necessary procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies.

Conformity assessment process

Manufacturers should undergo a process of conformity assessment to demonstrate whether the specified requirements relating to a product have been fulfilled. Where compliance of the product with the applicable requirements has been demonstrated, manufacturers and developers would draw up an EU declaration of conformity and will be able to affix the CE marking.

Market surveillance

Member States should appoint market surveillance authorities , which would be responsible for enforcing the Cyber Resilience Act obligations.

In case of non-compliance, market surveillance authorities could require operators to bring the non-compliance to an end and eliminate the risk, to prohibit or restrict the making available of a product on the market, or to order that the product is withdrawn or recalled. Each of these authorities will be able to fine companies that don't adhere to the rules.

Application

To allow manufacturers, notified bodies and Member States time to adapt to the new requirements, the proposed Regulation will become applicable 24 months after its entry into force, except for the reporting obligation on manufacturers, which would apply from 12 months after the date of entry into force.

Legislative proposal

Documents

Votes

A9-0253/2023 – Nicola Danti – Provisional agreement – Am 2 #

2024/03/12 Outcome: +: 517, 0: 78, -: 12
DE FR IT PL ES NL RO SE HU BE BG CZ PT AT EL HR DK SK FI IE LT SI LV EE LU MT CY
Total
84
72
62
45
55
28
21
19
17
19
16
19
19
17
16
12
11
13
10
13
8
7
7
7
5
4
1
icon: PPE PPE
152

Hungary PPE

1

Denmark PPE

For (1)

1

Finland PPE

2

Slovenia PPE

3

Estonia PPE

For (1)

1

Luxembourg PPE

For (1)

1

Malta PPE

For (1)

1
icon: S&D S&D
127

Belgium S&D

2

Czechia S&D

For (1)

1

Greece S&D

1

Slovakia S&D

For (1)

1

Lithuania S&D

2

Slovenia S&D

2

Latvia S&D

2

Estonia S&D

2

Luxembourg S&D

For (1)

1

Cyprus S&D

1
icon: Renew Renew
87

Poland Renew

1
3

Hungary Renew

2

Belgium Renew

2

Austria Renew

For (1)

1

Greece Renew

1

Croatia Renew

For (1)

1

Finland Renew

2

Ireland Renew

2

Lithuania Renew

1

Slovenia Renew

2

Latvia Renew

For (1)

1

Estonia Renew

3

Luxembourg Renew

2
icon: Verts/ALE Verts/ALE
65

Italy Verts/ALE

3

Poland Verts/ALE

For (1)

1

Spain Verts/ALE

3

Netherlands Verts/ALE

3

Sweden Verts/ALE

2

Belgium Verts/ALE

3

Czechia Verts/ALE

3

Portugal Verts/ALE

1

Austria Verts/ALE

2

Greece Verts/ALE

For (1)

1

Denmark Verts/ALE

For (1)

1

Finland Verts/ALE

2

Ireland Verts/ALE

2

Lithuania Verts/ALE

2

Luxembourg Verts/ALE

For (1)

1
icon: ECR ECR
62

Germany ECR

1

France ECR

Abstain (1)

1

Netherlands ECR

Against (1)

Abstain (2)

5

Romania ECR

Abstain (1)

1

Bulgaria ECR

2

Greece ECR

1

Croatia ECR

1

Slovakia ECR

Abstain (1)

1
icon: NI NI
36

Germany NI

For (1)

Abstain (1)

2

France NI

1

Netherlands NI

Against (1)

1

Romania NI

For (1)

1

Belgium NI

For (1)

1

Czechia NI

For (1)

1

Croatia NI

Abstain (1)

2

Slovakia NI

Abstain (1)

3

Latvia NI

Abstain (1)

1
icon: The Left The Left
32

Netherlands The Left

For (1)

1

Sweden The Left

For (1)

1

Belgium The Left

Abstain (1)

1

Czechia The Left

Abstain (1)

1

Denmark The Left

1

Ireland The Left

For (1)

4
icon: ID ID
46

Belgium ID

For (1)

3

Czechia ID

Against (1)

1

Austria ID

3

Denmark ID

For (1)

1

Estonia ID

Abstain (1)

1
AmendmentsDossier
714 2022/0272(COD)
2023/04/28 IMCO 291 amendments...
source: 746.662
2023/05/04 ITRE 423 amendments...
source: 746.920

History

(these mark the time of scraping, not the official date of the change)

committees/0
type
Responsible Committee
body
EP
associated
False
committee_full
Industry, Research and Energy
committee
ITRE
rapporteur
name: DANTI Nicola date: 2022-10-26T00:00:00 group: RE abbr: Renew
shadows
committees/0
type
Responsible Committee
body
EP
committee_full
Industry, Research and Energy
committee
ITRE
associated
False
rapporteur
name: DANTI Nicola date: 2022-10-26T00:00:00 group: Renew Europe group abbr: Renew
shadows
committees/1
type
Committee Opinion
body
EP
associated
True
committee_full
Internal Market and Consumer Protection
committee
IMCO
committees/1
type
Committee Opinion
body
EP
committee_full
Internal Market and Consumer Protection
committee
IMCO
associated
False
rapporteur
name: LØKKEGAARD Morten date: 2022-12-16T00:00:00 group: Renew Europe group abbr: Renew
committees/2/associated
Old
 
New
True
docs/0
date
2023-03-31T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/ITRE-PR-745538_EN.html title: PE745.538
type
Committee draft report
body
EP
docs/0
date
2022-09-15T00:00:00
docs
type
Document attached to the procedure
body
EC
docs/0/body
Old
EP
New
European Parliament
docs/1
date
2022-09-15T00:00:00
docs
title: SWD(2022)0282
type
Document attached to the procedure
body
EC
docs/1
date
2023-04-28T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/IMCO-AM-746662_EN.html title: PE746.662
type
Amendments tabled in committee
body
European Parliament
docs/2
date
2023-05-03T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/ITRE-AM-746921_EN.html title: PE746.921
type
Amendments tabled in committee
body
EP
docs/2
date
2022-09-15T00:00:00
docs
type
Document attached to the procedure
body
EC
docs/2/body
Old
EP
New
European Parliament
docs/3
date
2023-05-03T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/ITRE-AM-746920_EN.html title: PE746.920
type
Amendments tabled in committee
body
EP
docs/3
date
2022-11-09T00:00:00
docs
type
Document attached to the procedure
body
EDPS
docs/3/body
Old
EP
New
European Parliament
docs/4
date
2023-06-30T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/IMCO-AD-742490_EN.html title: PE742.490
committee
IMCO
type
Committee opinion
body
EP
docs/4
date
2022-12-14T00:00:00
docs
url: https://dmsearch.eesc.europa.eu/search/public?k=(documenttype:AC)(documentnumber:4103)(documentyear:2022)(documentlanguage:EN) title: CES4103/2022
type
Economic and Social Committee: opinion, report
body
ESC
docs/4/body
Old
EP
New
European Parliament
docs/5
date
2023-03-31T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/ITRE-PR-745538_EN.html title: PE745.538
type
Committee draft report
body
EP
docs/5
date
2023-12-20T00:00:00
docs
url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2023/12-20/ITRE_AG(2023)758004_EN.docx title: PE758.004
type
Text agreed during interinstitutional negotiations
body
EP
docs/5/body
Old
EP
New
European Parliament
docs/6
date
2023-05-03T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/ITRE-AM-746920_EN.html title: PE746.920
type
Amendments tabled in committee
body
EP
docs/6
date
2023-12-20T00:00:00
docs
title: GEDA/A/(2024)000218
type
Coreper letter confirming interinstitutional agreement
body
CSL
docs/6/body
Old
CSL
New
Council of the EU
docs/7
date
2023-05-03T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/ITRE-AM-746921_EN.html title: PE746.921
type
Amendments tabled in committee
body
EP
docs/7
date
2024-10-23T00:00:00
docs
title: 00100/2024/LEX
type
Draft final act
body
CSL
docs/7/body
Old
CSL
New
Council of the EU
docs/8
date
2023-06-30T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/IMCO-AD-742490_EN.html title: PE742.490
committee
IMCO
type
Committee opinion
body
EP
docs/8
date
2022-09-15T00:00:00
docs
type
Document attached to the procedure
body
European Commission
docs/9
date
2023-12-20T00:00:00
docs
title: GEDA/A/(2024)000218
type
Coreper letter confirming interinstitutional agreement
body
CSL
docs/9
date
2022-09-15T00:00:00
docs
type
Document attached to the procedure
body
European Commission
docs/10
date
2023-12-20T00:00:00
docs
url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2023/12-20/ITRE_AG(2023)758004_EN.docx title: PE758.004
type
Text agreed during interinstitutional negotiations
body
EP
docs/10
date
2022-09-15T00:00:00
docs
summary
type
Legislative proposal
body
European Commission
docs/11
date
2022-09-15T00:00:00
docs
title: SWD(2022)0282
type
Document attached to the procedure
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11/body
Old
EC
New
European Commission
docs/12
date
2024-07-22T00:00:00
docs
url: https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/12
date
2024-10-23T00:00:00
docs
title: 00100/2024/LEX
type
Draft final act
body
CSL
docs/12/body
Old
EC
New
European Commission
docs/13
Old
date
2023-05-23T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2022)0454 title: COM(2022)0454
type
Contribution
body
NL_SENATE
New
date
2022-11-14T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2022)0454 title: COM(2022)0454
type
Contribution
body
CZ_CHAMBER
docs/14
Old
date
2022-12-21T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2022)0454 title: COM(2022)0454
type
Contribution
body
PT_PARLIAMENT
New
date
2022-12-19T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2022)0454 title: COM(2022)0454
type
Contribution
body
BG_PARLIAMENT
docs/15
Old
date
2022-11-14T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2022)0454 title: COM(2022)0454
type
Contribution
body
CZ_CHAMBER
New
date
2022-12-21T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2022)0454 title: COM(2022)0454
type
Contribution
body
PT_PARLIAMENT
docs/16
Old
date
2022-12-19T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2022)0454 title: COM(2022)0454
type
Contribution
body
BG_PARLIAMENT
New
date
2023-05-23T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2022)0454 title: COM(2022)0454
type
Contribution
body
NL_SENATE
docs/17
date
2022-11-09T00:00:00
docs
type
EDPS
body
Document attached to the procedure
docs/18
date
2022-12-14T00:00:00
docs
url: https://dmsearch.eesc.europa.eu/search/public?k=(documenttype:AC)(documentnumber:4103)(documentyear:2022)(documentlanguage:EN) title: CES4103/2022
type
ESC
body
Economic and Social Committee: opinion, report
events/0
date
2022-09-15T00:00:00
type
Legislative proposal published
body
EC
docs
summary
events/0
date
2022-09-15T00:00:00
type
Legislative proposal published
body
EC
docs
summary
events/5/summary/22
Committee report tabled for plenary, 1st reading/single reading
events/8/docs/1
title
GEDA/A/(2024)000218
events/9/docs/0/title
Old
Debate in Parliament
New
Go to the page
events/10
date
2024-03-12T00:00:00
type
Results of vote in Parliament
body
EP
docs
url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=en title: Results of vote in Parliament
events/10
date
2024-03-12T00:00:00
type
Decision by Parliament, 1st reading
body
EP
docs
url: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html title: T9-0130/2024
summary
events/10/summary/24
Text adopted by Parliament, 1st reading/single reading
events/11
date
2024-03-12T00:00:00
type
Results of vote in Parliament
body
EP
docs
url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=en title: Results of vote in Parliament
events/11
date
2024-03-12T00:00:00
type
Decision by Parliament, 1st reading
body
EP
docs
url: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html title: T9-0130/2024
summary
events/11/docs/0/url
Old
https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=en
New
https://oeil.secure.europarl.europa.eu/oeil/en/sda-vote-result?sdaId=60344
events/14
date
2024-11-20T00:00:00
type
Final act published in Official Journal
summary
docs
procedure/Legislative priorities/0
title
Joint Declaration 2023-24
url
https://oeil.secure.europarl.europa.eu/oeil/popups/thematicnote.do?id=41380&l=en
procedure/Legislative priorities/0
title
Joint Declaration 2022
url
https://oeil.secure.europarl.europa.eu/oeil/popups/thematicnote.do?id=41360&l=en
procedure/Legislative priorities/0/url
Old
https://oeil.secure.europarl.europa.eu/oeil/popups/thematicnote.do?id=41360&l=en
New
https://oeil.secure.europarl.europa.eu/legislative-priorities/thematic-note?id=41360
procedure/Legislative priorities/1
title
Joint Declaration 2023-24
url
https://oeil.secure.europarl.europa.eu/oeil/popups/thematicnote.do?id=41380&l=en
procedure/Legislative priorities/1
title
Joint Declaration 2022
url
https://oeil.secure.europarl.europa.eu/oeil/popups/thematicnote.do?id=41360&l=en
procedure/Legislative priorities/1/url
Old
https://oeil.secure.europarl.europa.eu/oeil/popups/thematicnote.do?id=41380&l=en
New
https://oeil.secure.europarl.europa.eu/legislative-priorities/thematic-note?id=41380
procedure/dossier_of_the_committee
Old
  • ITRE/9/10122
New
ITRE/9/10122
procedure/final
title
Regulation 2024/2847
url
https://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!CELEXnumdoc&lg=EN&numdoc=32024R2847
procedure/instrument/1
Amending Regulation 2019/1020
procedure/instrument/1
Amending Regulation 2019/1020 2017/0353(COD)
procedure/instrument/2
2017/0353(COD)
procedure/stage_reached
Old
Procedure completed, awaiting publication in Official Journal
New
Procedure completed
docs/12/docs/0/title
Old
00100/2023/LEX
New
00100/2024/LEX
docs/12/docs/0/title
Old
00100/2024/LEX
New
00100/2023/LEX
docs/12/docs/0/title
Old
00100/2023/LEX
New
00100/2024/LEX
docs/12/docs/0/title
Old
00100/2024/LEX
New
00100/2023/LEX
docs/12/docs/0/title
Old
00100/2023/LEX
New
00100/2024/LEX
docs/11/docs/0/url
Old
/oeil/spdoc.do?i=60344&j=0&l=en
New
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx
docs/12
date
2024-10-23T00:00:00
docs
title: 00100/2023/LEX
type
Draft final act
body
CSL
events/12
date
2024-10-10T00:00:00
type
Act adopted by Council after Parliament's 1st reading
body
EP/CSL
events/13
date
2024-10-23T00:00:00
type
Final act signed
body
CSL
procedure/stage_reached
Old
Awaiting Council's 1st reading position
New
Procedure completed, awaiting publication in Official Journal
docs/11/docs/0/url
Old
/oeil/spdoc.do?i=60344&j=0&l=en
New
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx
docs/12
date
2024-10-23T00:00:00
docs
title: 00100/2024/LEX
type
Draft final act
body
CSL
events/12
date
2024-10-10T00:00:00
type
Act adopted by Council after Parliament's 1st reading
body
EP/CSL
events/13
date
2024-10-23T00:00:00
type
Final act signed
body
CSL
procedure/stage_reached
Old
Awaiting Council's 1st reading position
New
Procedure completed, awaiting publication in Official Journal
docs/11/docs/0/url
Old
/oeil/spdoc.do?i=60344&j=0&l=en
New
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx
docs/12
date
2024-10-23T00:00:00
docs
title: 00100/2023/LEX
type
Draft final act
body
CSL
events/12
date
2024-10-10T00:00:00
type
Act adopted by Council after Parliament's 1st reading
body
EP/CSL
events/13
date
2024-10-23T00:00:00
type
Final act signed
body
CSL
procedure/stage_reached
Old
Awaiting Council's 1st reading position
New
Procedure completed, awaiting publication in Official Journal
docs/11/docs/0/url
Old
/oeil/spdoc.do?i=60344&j=0&l=en
New
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx
docs/12
date
2024-10-23T00:00:00
docs
title: 00100/2023/LEX
type
Draft final act
body
CSL
events/12
date
2024-10-10T00:00:00
type
Act adopted by Council after Parliament's 1st reading
body
EP/CSL
events/13
date
2024-10-23T00:00:00
type
Final act signed
body
CSL
procedure/stage_reached
Old
Awaiting Council's 1st reading position
New
Procedure completed, awaiting publication in Official Journal
docs/11/docs/0/url
Old
/oeil/spdoc.do?i=60344&j=0&l=en
New
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx
docs/12
date
2024-10-23T00:00:00
docs
title: 00100/2023/LEX
type
Draft final act
body
CSL
events/12
date
2024-10-10T00:00:00
type
Act adopted by Council after Parliament's 1st reading
body
EP/CSL
events/13
date
2024-10-23T00:00:00
type
Final act signed
body
CSL
procedure/stage_reached
Old
Awaiting Council's 1st reading position
New
Procedure completed, awaiting publication in Official Journal
docs/11/docs/0/url
Old
/oeil/spdoc.do?i=60344&j=0&l=en
New
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx
docs/12
date
2024-10-23T00:00:00
docs
title: 00100/2023/LEX
type
Draft final act
body
CSL
events/12
date
2024-10-10T00:00:00
type
Act adopted by Council after Parliament's 1st reading
body
EP/CSL
events/13
date
2024-10-23T00:00:00
type
Final act signed
body
CSL
procedure/stage_reached
Old
Awaiting Council's 1st reading position
New
Procedure completed, awaiting publication in Official Journal
docs/11/docs/0/url
Old
/oeil/spdoc.do?i=60344&j=0&l=en
New
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx
docs/12
date
2024-10-23T00:00:00
docs
title: 00100/2023/LEX
type
Draft final act
body
CSL
events/12
date
2024-10-10T00:00:00
type
Act adopted by Council after Parliament's 1st reading
body
EP/CSL
procedure/stage_reached
Old
Awaiting Council's 1st reading position
New
Awaiting signature of act
docs/11/docs/0/url
Old
/oeil/spdoc.do?i=60344&j=0&l=en
New
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx
docs/12
date
2024-10-23T00:00:00
docs
title: 00100/2023/LEX
type
Draft final act
body
CSL
events/12
date
2024-10-10T00:00:00
type
Act adopted by Council after Parliament's 1st reading
body
EP/CSL
procedure/stage_reached
Old
Awaiting Council's 1st reading position
New
Awaiting signature of act
docs/11/docs/0/url
Old
/oeil/spdoc.do?i=60344&j=0&l=en
New
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx
docs/12
date
2024-10-23T00:00:00
docs
title: 00100/2023/LEX
type
Draft final act
body
CSL
events/12
date
2024-10-10T00:00:00
type
Act adopted by Council after Parliament's 1st reading
body
EP/CSL
procedure/stage_reached
Old
Awaiting Council's 1st reading position
New
Awaiting signature of act
docs/11/docs/0/url
Old
/oeil/spdoc.do?i=60344&j=0&l=en
New
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx
docs/12
date
2024-10-23T00:00:00
docs
title: 00100/2024/LEX
type
Draft final act
body
CSL
events/12
date
2024-10-10T00:00:00
type
Act adopted by Council after Parliament's 1st reading
body
EP/CSL
procedure/stage_reached
Old
Awaiting Council's 1st reading position
New
Awaiting signature of act
docs/11/docs/0/url
Old
/oeil/spdoc.do?i=60344&j=0&l=en
New
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx
docs/12
date
2024-10-23T00:00:00
docs
title: 00100/2024/LEX
type
Draft final act
body
CSL
events/12
date
2024-10-10T00:00:00
type
Act adopted by Council after Parliament's 1st reading
body
EP/CSL
procedure/stage_reached
Old
Awaiting Council's 1st reading position
New
Awaiting signature of act
docs/11/docs/0/url
Old
/oeil/spdoc.do?i=60344&j=0&l=en
New
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx
docs/12
date
2024-10-23T00:00:00
docs
title: 00100/2024/LEX
type
Draft final act
body
CSL
events/12
date
2024-10-10T00:00:00
type
Act adopted by Council after Parliament's 1st reading
body
EP/CSL
procedure/stage_reached
Old
Awaiting Council's 1st reading position
New
Awaiting signature of act
docs/11/docs/0/url
Old
/oeil/spdoc.do?i=60344&j=0&l=en
New
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx
events/12
date
2024-10-10T00:00:00
type
Act adopted by Council after Parliament's 1st reading
body
EP/CSL
procedure/stage_reached
Old
Awaiting Council's 1st reading position
New
Awaiting signature of act
docs/11/docs/0/url
Old
/oeil/spdoc.do?i=60344&j=0&l=en
New
nulldistribution/doc/SP-2024-350-TA-9-2024-0130_en.docx
events/12
date
2024-10-10T00:00:00
type
Act adopted by Council after Parliament's 1st reading
body
EP/CSL
procedure/stage_reached
Old
Awaiting Council's 1st reading position
New
Awaiting signature of act
events/12
date
2024-10-10T00:00:00
type
Act adopted by Council after Parliament's 1st reading
body
EP/CSL
procedure/stage_reached
Old
Awaiting Council's 1st reading position
New
Awaiting signature of act
docs/3/docs/0/url
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOC
New
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/3/docs/0/url
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOC
New
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/3/docs/0/url
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOC
New
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/3/docs/0/url
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOC
New
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/3/docs/0/url
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOC
New
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/3/docs/0/url
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOC
New
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/3/docs/0/url
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOC
New
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/3/docs/0/url
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOC
New
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/3/docs/0/url
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOC
New
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/3/docs/0/url
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOC
New
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/3/docs/0/url
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOC
New
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/3
date
2022-11-09T00:00:00
docs
type
Document attached to the procedure
body
EDPS
docs/3
date
2022-11-09T00:00:00
docs
type
Document attached to the procedure
body
EDPS
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/3
date
2022-11-09T00:00:00
docs
type
Document attached to the procedure
body
EDPS
docs/3
date
2022-11-09T00:00:00
docs
type
Document attached to the procedure
body
EDPS
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/3
date
2022-11-09T00:00:00
docs
type
Document attached to the procedure
body
EDPS
docs/3
date
2022-11-09T00:00:00
docs
type
Document attached to the procedure
body
EDPS
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/3
date
2022-11-09T00:00:00
docs
type
Document attached to the procedure
body
EDPS
docs/3
date
2022-11-09T00:00:00
docs
type
Document attached to the procedure
body
EDPS
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
docs/11
date
2024-07-22T00:00:00
docs
url: /oeil/spdoc.do?i=60344&j=0&l=en title: SP(2024)350
type
Commission response to text adopted in plenary
body
EC
procedure/Other legal basis
Old
Rules of Procedure EP 159
New
Rules of Procedure EP 165
procedure/legal_basis/0
Rules of Procedure EP 57_o
procedure/legal_basis/0
Rules of Procedure EP 57
procedure/Other legal basis
Old
Rules of Procedure EP 159
New
Rules of Procedure EP 165
procedure/legal_basis/0
Rules of Procedure EP 57_o
procedure/legal_basis/0
Rules of Procedure EP 57
procedure/Other legal basis
Old
Rules of Procedure EP 159
New
Rules of Procedure EP 165
procedure/legal_basis/0
Rules of Procedure EP 57_o
procedure/legal_basis/0
Rules of Procedure EP 57
procedure/Other legal basis
Old
Rules of Procedure EP 159
New
Rules of Procedure EP 165
procedure/legal_basis/0
Rules of Procedure EP 57_o
procedure/legal_basis/0
Rules of Procedure EP 57
procedure/Other legal basis
Old
Rules of Procedure EP 159
New
Rules of Procedure EP 165
procedure/legal_basis/0
Rules of Procedure EP 57_o
procedure/legal_basis/0
Rules of Procedure EP 57
procedure/Other legal basis
Old
Rules of Procedure EP 159
New
Rules of Procedure EP 165
procedure/legal_basis/0
Rules of Procedure EP 57_o
procedure/legal_basis/0
Rules of Procedure EP 57
events/10
date
2024-03-12T00:00:00
type
Results of vote in Parliament
body
EP
docs
url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=en title: Results of vote in Parliament
events/10
date
2024-03-12T00:00:00
type
Results of vote in Parliament
body
EP
docs
url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=en title: Results of vote in Parliament
events/10
date
2024-03-12T00:00:00
type
Results of vote in Parliament
body
EP
docs
url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=en title: Results of vote in Parliament
events/10
date
2024-03-12T00:00:00
type
Results of vote in Parliament
body
EP
docs
url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=en title: Results of vote in Parliament
events/10
date
2024-03-12T00:00:00
type
Results of vote in Parliament
body
EP
docs
url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=en title: Results of vote in Parliament
events/10
date
2024-03-12T00:00:00
type
Results of vote in Parliament
body
EP
docs
url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=en title: Results of vote in Parliament
events/10
date
2024-03-12T00:00:00
type
Results of vote in Parliament
body
EP
docs
url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=en title: Results of vote in Parliament
events/10
date
2024-03-12T00:00:00
type
Results of vote in Parliament
body
EP
docs
url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=en title: Results of vote in Parliament
events/10
date
2024-03-12T00:00:00
type
Results of vote in Parliament
body
EP
docs
url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=en title: Results of vote in Parliament
events/10
date
2024-03-12T00:00:00
type
Results of vote in Parliament
body
EP
docs
url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=en title: Results of vote in Parliament
events/10
date
2024-03-12T00:00:00
type
Results of vote in Parliament
body
EP
docs
url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=en title: Results of vote in Parliament
events/10
date
2024-03-12T00:00:00
type
Results of vote in Parliament
body
EP
docs
url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=en title: Results of vote in Parliament
docs/11
date
2024-03-12T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html title: T9-0130/2024
type
Text adopted by Parliament, 1st reading/single reading
body
EP
events/10/summary
  • The European Parliament adopted by 517 votes to 12, with 78 abstentions, legislative resolution on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
  • This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.
  • The European Parliament's position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:
  • Important products with digital elements (Annex III)
  • Certain categories of products with digital elements should be subject to stricter conformity assessment procedures . Consumer products with digital elements categorised in this Regulation as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure. This applies to smart home products with security functionalities, such as smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology.
  • The Commission is empowered to adopt delegated acts to amend Annex III of the Regulation by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list.
  • Critical products with digital elements (Annex IV)
  • The categories of products with digital elements referred to in the Regulation have a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation.
  • The Commission is empowered to adopt delegated acts to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme, to demonstrate conformity with the essential requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted and is available to manufacturers.
  • Stakeholder consultation
  • When preparing measures for the implementation of this Regulation, the Commission should consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level.
  • In order to respond to the needs of professionals, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, should promote measures and strategies aiming to develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies.
  • Obligations of manufacturers
  • Manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements. The cybersecurity risk assessment should be documented and updated as appropriate during a support period .
  • From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements should immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
  • Manufacturers should, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability.
  • Manufacturers should:
  • - determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements;
  • - ensure that each security update , which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period;
  • - set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital element.
  • Reporting obligations of manufacturers
  • A manufacturer should notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer should submit:
  • (i) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; (ii) a vulnerability notification , without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability. A manufacturer should notify any severe incident having an impact on the security of the product with digital elements.
  • Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. In order to simplify the reporting obligations of manufacturers, a single reporting platform should be established by ENISA.
docs/11
date
2024-03-12T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html title: T9-0130/2024
type
Text adopted by Parliament, 1st reading/single reading
body
EP
events/10/summary
  • The European Parliament adopted by 517 votes to 12, with 78 abstentions, legislative resolution on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
  • This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.
  • The European Parliament's position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:
  • Important products with digital elements (Annex III)
  • Certain categories of products with digital elements should be subject to stricter conformity assessment procedures . Consumer products with digital elements categorised in this Regulation as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure. This applies to smart home products with security functionalities, such as smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology.
  • The Commission is empowered to adopt delegated acts to amend Annex III of the Regulation by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list.
  • Critical products with digital elements (Annex IV)
  • The categories of products with digital elements referred to in the Regulation have a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation.
  • The Commission is empowered to adopt delegated acts to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme, to demonstrate conformity with the essential requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted and is available to manufacturers.
  • Stakeholder consultation
  • When preparing measures for the implementation of this Regulation, the Commission should consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level.
  • In order to respond to the needs of professionals, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, should promote measures and strategies aiming to develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies.
  • Obligations of manufacturers
  • Manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements. The cybersecurity risk assessment should be documented and updated as appropriate during a support period .
  • From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements should immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
  • Manufacturers should, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability.
  • Manufacturers should:
  • - determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements;
  • - ensure that each security update , which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period;
  • - set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital element.
  • Reporting obligations of manufacturers
  • A manufacturer should notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer should submit:
  • (i) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; (ii) a vulnerability notification , without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability. A manufacturer should notify any severe incident having an impact on the security of the product with digital elements.
  • Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. In order to simplify the reporting obligations of manufacturers, a single reporting platform should be established by ENISA.
docs/11
date
2024-03-12T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html title: T9-0130/2024
type
Text adopted by Parliament, 1st reading/single reading
body
EP
events/10/summary
  • The European Parliament adopted by 517 votes to 12, with 78 abstentions, legislative resolution on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
  • This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.
  • The European Parliament's position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:
  • Important products with digital elements (Annex III)
  • Certain categories of products with digital elements should be subject to stricter conformity assessment procedures . Consumer products with digital elements categorised in this Regulation as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure. This applies to smart home products with security functionalities, such as smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology.
  • The Commission is empowered to adopt delegated acts to amend Annex III of the Regulation by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list.
  • Critical products with digital elements (Annex IV)
  • The categories of products with digital elements referred to in the Regulation have a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation.
  • The Commission is empowered to adopt delegated acts to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme, to demonstrate conformity with the essential requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted and is available to manufacturers.
  • Stakeholder consultation
  • When preparing measures for the implementation of this Regulation, the Commission should consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level.
  • In order to respond to the needs of professionals, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, should promote measures and strategies aiming to develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies.
  • Obligations of manufacturers
  • Manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements. The cybersecurity risk assessment should be documented and updated as appropriate during a support period .
  • From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements should immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
  • Manufacturers should, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability.
  • Manufacturers should:
  • - determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements;
  • - ensure that each security update , which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period;
  • - set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital element.
  • Reporting obligations of manufacturers
  • A manufacturer should notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer should submit:
  • (i) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; (ii) a vulnerability notification , without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability. A manufacturer should notify any severe incident having an impact on the security of the product with digital elements.
  • Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. In order to simplify the reporting obligations of manufacturers, a single reporting platform should be established by ENISA.
docs/11
date
2024-03-12T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html title: T9-0130/2024
type
Text adopted by Parliament, 1st reading/single reading
body
EP
events/10/summary
  • The European Parliament adopted by 517 votes to 12, with 78 abstentions, legislative resolution on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
  • This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.
  • The European Parliament's position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:
  • Important products with digital elements (Annex III)
  • Certain categories of products with digital elements should be subject to stricter conformity assessment procedures . Consumer products with digital elements categorised in this Regulation as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure. This applies to smart home products with security functionalities, such as smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology.
  • The Commission is empowered to adopt delegated acts to amend Annex III of the Regulation by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list.
  • Critical products with digital elements (Annex IV)
  • The categories of products with digital elements referred to in the Regulation have a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation.
  • The Commission is empowered to adopt delegated acts to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme, to demonstrate conformity with the essential requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted and is available to manufacturers.
  • Stakeholder consultation
  • When preparing measures for the implementation of this Regulation, the Commission should consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level.
  • In order to respond to the needs of professionals, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, should promote measures and strategies aiming to develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies.
  • Obligations of manufacturers
  • Manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements. The cybersecurity risk assessment should be documented and updated as appropriate during a support period .
  • From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements should immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
  • Manufacturers should, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability.
  • Manufacturers should:
  • - determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements;
  • - ensure that each security update , which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period;
  • - set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital element.
  • Reporting obligations of manufacturers
  • A manufacturer should notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer should submit:
  • (i) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; (ii) a vulnerability notification , without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability. A manufacturer should notify any severe incident having an impact on the security of the product with digital elements.
  • Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. In order to simplify the reporting obligations of manufacturers, a single reporting platform should be established by ENISA.
docs/11
date
2024-03-12T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html title: T9-0130/2024
type
Text adopted by Parliament, 1st reading/single reading
body
EP
events/10/summary
  • The European Parliament adopted by 517 votes to 12, with 78 abstentions, legislative resolution on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
  • This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.
  • The European Parliament's position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:
  • Important products with digital elements (Annex III)
  • Certain categories of products with digital elements should be subject to stricter conformity assessment procedures . Consumer products with digital elements categorised in this Regulation as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure. This applies to smart home products with security functionalities, such as smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology.
  • The Commission is empowered to adopt delegated acts to amend Annex III of the Regulation by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list.
  • Critical products with digital elements (Annex IV)
  • The categories of products with digital elements referred to in the Regulation have a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation.
  • The Commission is empowered to adopt delegated acts to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme, to demonstrate conformity with the essential requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted and is available to manufacturers.
  • Stakeholder consultation
  • When preparing measures for the implementation of this Regulation, the Commission should consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level.
  • In order to respond to the needs of professionals, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, should promote measures and strategies aiming to develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies.
  • Obligations of manufacturers
  • Manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements. The cybersecurity risk assessment should be documented and updated as appropriate during a support period .
  • From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements should immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
  • Manufacturers should, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability.
  • Manufacturers should:
  • - determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements;
  • - ensure that each security update , which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period;
  • - set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital element.
  • Reporting obligations of manufacturers
  • A manufacturer should notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer should submit:
  • (i) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; (ii) a vulnerability notification , without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability. A manufacturer should notify any severe incident having an impact on the security of the product with digital elements.
  • Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. In order to simplify the reporting obligations of manufacturers, a single reporting platform should be established by ENISA.
docs/11
date
2024-03-12T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html title: T9-0130/2024
type
Text adopted by Parliament, 1st reading/single reading
body
EP
events/10/summary
  • The European Parliament adopted by 517 votes to 12, with 78 abstentions, legislative resolution on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
  • This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.
  • The European Parliament's position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:
  • Important products with digital elements (Annex III)
  • Certain categories of products with digital elements should be subject to stricter conformity assessment procedures . Consumer products with digital elements categorised in this Regulation as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure. This applies to smart home products with security functionalities, such as smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology.
  • The Commission is empowered to adopt delegated acts to amend Annex III of the Regulation by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list.
  • Critical products with digital elements (Annex IV)
  • The categories of products with digital elements referred to in the Regulation have a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation.
  • The Commission is empowered to adopt delegated acts to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme, to demonstrate conformity with the essential requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted and is available to manufacturers.
  • Stakeholder consultation
  • When preparing measures for the implementation of this Regulation, the Commission should consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level.
  • In order to respond to the needs of professionals, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, should promote measures and strategies aiming to develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies.
  • Obligations of manufacturers
  • Manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements. The cybersecurity risk assessment should be documented and updated as appropriate during a support period .
  • From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements should immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
  • Manufacturers should, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability.
  • Manufacturers should:
  • - determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements;
  • - ensure that each security update , which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period;
  • - set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital element.
  • Reporting obligations of manufacturers
  • A manufacturer should notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer should submit:
  • (i) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; (ii) a vulnerability notification , without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability. A manufacturer should notify any severe incident having an impact on the security of the product with digital elements.
  • Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. In order to simplify the reporting obligations of manufacturers, a single reporting platform should be established by ENISA.
docs/11
date
2024-03-12T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html title: T9-0130/2024
type
Text adopted by Parliament, 1st reading/single reading
body
EP
events/10/summary
  • The European Parliament adopted by 517 votes to 12, with 78 abstentions, legislative resolution on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
  • This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.
  • The European Parliament's position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:
  • Important products with digital elements (Annex III)
  • Certain categories of products with digital elements should be subject to stricter conformity assessment procedures . Consumer products with digital elements categorised in this Regulation as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure. This applies to smart home products with security functionalities, such as smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology.
  • The Commission is empowered to adopt delegated acts to amend Annex III of the Regulation by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list.
  • Critical products with digital elements (Annex IV)
  • The categories of products with digital elements referred to in the Regulation have a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation.
  • The Commission is empowered to adopt delegated acts to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme, to demonstrate conformity with the essential requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted and is available to manufacturers.
  • Stakeholder consultation
  • When preparing measures for the implementation of this Regulation, the Commission should consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level.
  • In order to respond to the needs of professionals, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, should promote measures and strategies aiming to develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies.
  • Obligations of manufacturers
  • Manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements. The cybersecurity risk assessment should be documented and updated as appropriate during a support period .
  • From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements should immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
  • Manufacturers should, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability.
  • Manufacturers should:
  • - determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements;
  • - ensure that each security update , which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period;
  • - set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital element.
  • Reporting obligations of manufacturers
  • A manufacturer should notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer should submit:
  • (i) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; (ii) a vulnerability notification , without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability. A manufacturer should notify any severe incident having an impact on the security of the product with digital elements.
  • Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. In order to simplify the reporting obligations of manufacturers, a single reporting platform should be established by ENISA.
docs/11
date
2024-03-12T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html title: T9-0130/2024
type
Text adopted by Parliament, 1st reading/single reading
body
EP
events/10/summary
  • The European Parliament adopted by 517 votes to 12, with 78 abstentions, legislative resolution on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
  • This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.
  • The European Parliament's position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:
  • Important products with digital elements (Annex III)
  • Certain categories of products with digital elements should be subject to stricter conformity assessment procedures . Consumer products with digital elements categorised in this Regulation as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure. This applies to smart home products with security functionalities, such as smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology.
  • The Commission is empowered to adopt delegated acts to amend Annex III of the Regulation by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list.
  • Critical products with digital elements (Annex IV)
  • The categories of products with digital elements referred to in the Regulation have a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation.
  • The Commission is empowered to adopt delegated acts to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme, to demonstrate conformity with the essential requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted and is available to manufacturers.
  • Stakeholder consultation
  • When preparing measures for the implementation of this Regulation, the Commission should consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level.
  • In order to respond to the needs of professionals, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, should promote measures and strategies aiming to develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies.
  • Obligations of manufacturers
  • Manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements. The cybersecurity risk assessment should be documented and updated as appropriate during a support period .
  • From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements should immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
  • Manufacturers should, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability.
  • Manufacturers should:
  • - determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements;
  • - ensure that each security update , which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period;
  • - set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital element.
  • Reporting obligations of manufacturers
  • A manufacturer should notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer should submit:
  • (i) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; (ii) a vulnerability notification , without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability. A manufacturer should notify any severe incident having an impact on the security of the product with digital elements.
  • Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. In order to simplify the reporting obligations of manufacturers, a single reporting platform should be established by ENISA.
docs/11
date
2024-03-12T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html title: T9-0130/2024
type
Text adopted by Parliament, 1st reading/single reading
body
EP
events/10/summary
  • The European Parliament adopted by 517 votes to 12, with 78 abstentions, legislative resolution on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
  • This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.
  • The European Parliament's position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:
  • Important products with digital elements (Annex III)
  • Certain categories of products with digital elements should be subject to stricter conformity assessment procedures . Consumer products with digital elements categorised in this Regulation as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure. This applies to smart home products with security functionalities, such as smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology.
  • The Commission is empowered to adopt delegated acts to amend Annex III of the Regulation by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list.
  • Critical products with digital elements (Annex IV)
  • The categories of products with digital elements referred to in the Regulation have a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation.
  • The Commission is empowered to adopt delegated acts to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme, to demonstrate conformity with the essential requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted and is available to manufacturers.
  • Stakeholder consultation
  • When preparing measures for the implementation of this Regulation, the Commission should consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level.
  • In order to respond to the needs of professionals, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, should promote measures and strategies aiming to develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies.
  • Obligations of manufacturers
  • Manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements. The cybersecurity risk assessment should be documented and updated as appropriate during a support period .
  • From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements should immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
  • Manufacturers should, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability.
  • Manufacturers should:
  • - determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements;
  • - ensure that each security update , which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period;
  • - set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital element.
  • Reporting obligations of manufacturers
  • A manufacturer should notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer should submit:
  • (i) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; (ii) a vulnerability notification , without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability. A manufacturer should notify any severe incident having an impact on the security of the product with digital elements.
  • Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. In order to simplify the reporting obligations of manufacturers, a single reporting platform should be established by ENISA.
docs/11
date
2024-03-12T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html title: T9-0130/2024
type
Text adopted by Parliament, 1st reading/single reading
body
EP
events/10/summary
  • The European Parliament adopted by 517 votes to 12, with 78 abstentions, legislative resolution on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
  • This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.
  • The European Parliament's position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:
  • Important products with digital elements (Annex III)
  • Certain categories of products with digital elements should be subject to stricter conformity assessment procedures . Consumer products with digital elements categorised in this Regulation as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure. This applies to smart home products with security functionalities, such as smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology.
  • The Commission is empowered to adopt delegated acts to amend Annex III of the Regulation by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list.
  • Critical products with digital elements (Annex IV)
  • The categories of products with digital elements referred to in the Regulation have a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation.
  • The Commission is empowered to adopt delegated acts to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme, to demonstrate conformity with the essential requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted and is available to manufacturers.
  • Stakeholder consultation
  • When preparing measures for the implementation of this Regulation, the Commission should consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level.
  • In order to respond to the needs of professionals, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, should promote measures and strategies aiming to develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies.
  • Obligations of manufacturers
  • Manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements. The cybersecurity risk assessment should be documented and updated as appropriate during a support period .
  • From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements should immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
  • Manufacturers should, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability.
  • Manufacturers should:
  • - determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements;
  • - ensure that each security update , which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period;
  • - set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital element.
  • Reporting obligations of manufacturers
  • A manufacturer should notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer should submit:
  • (i) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; (ii) a vulnerability notification , without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability. A manufacturer should notify any severe incident having an impact on the security of the product with digital elements.
  • Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. In order to simplify the reporting obligations of manufacturers, a single reporting platform should be established by ENISA.
docs/11
date
2024-03-12T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html title: T9-0130/2024
type
Text adopted by Parliament, 1st reading/single reading
body
EP
events/10/summary
  • The European Parliament adopted by 517 votes to 12, with 78 abstentions, legislative resolution on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
  • This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.
  • The European Parliament's position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:
  • Important products with digital elements (Annex III)
  • Certain categories of products with digital elements should be subject to stricter conformity assessment procedures . Consumer products with digital elements categorised in this Regulation as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure. This applies to smart home products with security functionalities, such as smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology.
  • The Commission is empowered to adopt delegated acts to amend Annex III of the Regulation by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list.
  • Critical products with digital elements (Annex IV)
  • The categories of products with digital elements referred to in the Regulation have a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation.
  • The Commission is empowered to adopt delegated acts to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme, to demonstrate conformity with the essential requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted and is available to manufacturers.
  • Stakeholder consultation
  • When preparing measures for the implementation of this Regulation, the Commission should consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level.
  • In order to respond to the needs of professionals, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, should promote measures and strategies aiming to develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies.
  • Obligations of manufacturers
  • Manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements. The cybersecurity risk assessment should be documented and updated as appropriate during a support period .
  • From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements should immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
  • Manufacturers should, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability.
  • Manufacturers should:
  • - determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements;
  • - ensure that each security update , which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period;
  • - set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital element.
  • Reporting obligations of manufacturers
  • A manufacturer should notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer should submit:
  • (i) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; (ii) a vulnerability notification , without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability. A manufacturer should notify any severe incident having an impact on the security of the product with digital elements.
  • Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. In order to simplify the reporting obligations of manufacturers, a single reporting platform should be established by ENISA.
docs/11
date
2024-03-12T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html title: T9-0130/2024
type
Text adopted by Parliament, 1st reading/single reading
body
EP
events/9
date
2024-03-11T00:00:00
type
Debate in Parliament
body
EP
docs
url: https://www.europarl.europa.eu/doceo/document/CRE-9-2024-03-11-TOC_EN.html title: Debate in Parliament
events/10
date
2024-03-12T00:00:00
type
Decision by Parliament, 1st reading
body
EP
docs
url: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html title: T9-0130/2024
forecasts
  • date: 2024-03-11T00:00:00 title: Indicative plenary sitting date
procedure/stage_reached
Old
Awaiting Parliament's position in 1st reading
New
Awaiting Council's 1st reading position
events/9
date
2024-03-11T00:00:00
type
Debate in Parliament
body
EP
docs
url: https://www.europarl.europa.eu/doceo/document/CRE-9-2024-03-11-TOC_EN.html title: Debate in Parliament
forecasts
  • date: 2024-03-11T00:00:00 title: Indicative plenary sitting date
events/9
date
2024-03-11T00:00:00
type
Debate in Parliament
body
EP
forecasts/0
date
2024-03-12T00:00:00
title
Vote scheduled
forecasts/0
date
2024-03-11T00:00:00
title
Indicative plenary sitting date
forecasts/0/title
Old
Indicative plenary sitting date
New
Debate scheduled
forecasts/1
date
2024-03-12T00:00:00
title
Vote in plenary scheduled
forecasts/0/title
Old
Indicative plenary sitting date
New
Debate in plenary scheduled
forecasts/1
date
2024-03-12T00:00:00
title
Vote in plenary scheduled
forecasts/0/title
Old
Indicative plenary sitting date
New
Debate in plenary scheduled
forecasts/1
date
2024-03-12T00:00:00
title
Vote in plenary scheduled
forecasts/0/title
Old
Indicative plenary sitting date
New
Debate in plenary scheduled
forecasts/1
date
2024-03-12T00:00:00
title
Vote in plenary scheduled
forecasts/0/title
Old
Indicative plenary sitting date
New
Debate in plenary scheduled
forecasts/1
date
2024-03-12T00:00:00
title
Vote in plenary scheduled
docs/10
date
2023-12-20T00:00:00
docs
url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2023/12-20/ITRE_AG(2023)758004_EN.docx title: PE758.004
type
Text agreed during interinstitutional negotiations
body
EP
events/8/docs
  • url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2023/12-20/ITRE_AG(2023)758004_EN.docx title: PE758.004
forecasts/0/date
Old
2024-04-10T00:00:00
New
2024-03-11T00:00:00
forecasts/0/date
Old
2024-03-11T00:00:00
New
2024-04-10T00:00:00
forecasts/0/date
Old
2024-04-10T00:00:00
New
2024-03-11T00:00:00
events/8
date
2024-01-23T00:00:00
type
Approval in committee of the text agreed at 1st reading interinstitutional negotiations
body
EP
docs/9
date
2023-12-20T00:00:00
docs
title: GEDA/A/(2024)000218
type
Coreper letter confirming interinstitutional agreement
body
CSL
forecasts/0/date
Old
2024-03-11T00:00:00
New
2024-04-10T00:00:00
forecasts
  • date: 2024-03-11T00:00:00 title: Indicative plenary sitting date
docs/3/docs/0/url
Old
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:C:2022:452:TOC
New
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOC
docs/9/date
Old
2023-05-22T00:00:00
New
2023-05-23T00:00:00
docs/10/date
Old
2022-12-20T00:00:00
New
2022-12-21T00:00:00
docs/11/date
Old
2022-11-13T00:00:00
New
2022-11-14T00:00:00
docs/12/date
Old
2022-12-18T00:00:00
New
2022-12-19T00:00:00
events/7
date
2023-09-13T00:00:00
type
Committee decision to enter into interinstitutional negotiations confirmed by plenary (Rule 71)
body
EP
events/6
date
2023-09-11T00:00:00
type
Committee decision to enter into interinstitutional negotiations announced in plenary (Rule 71)
body
EP
docs/10
date
2022-12-20T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2022)0454 title: COM(2022)0454
type
Contribution
body
PT_PARLIAMENT
docs/9
date
2023-07-27T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/A-9-2023-0253_EN.html title: A9-0253/2023
type
Committee report tabled for plenary, 1st reading/single reading
body
EP
events/5/summary
  • The Committee on Industry, Research and Energy adopted the report by Nicola DANTI (Renew, IT) on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
  • The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
  • Security updates
  • The amended text stated that manufacturers should ensure, where technically feasible, that products with digital elements clearly differentiate between security and functionality updates. Security updates, designed to decrease the level of risk or to remedy potential vulnerabilities, should be installed automatically , in particular in the case of consumer products.
  • Enhancing skills in a cyber resilient digital environment
  • Members stressed the importance of professional skills in the cybersecurity field, proposing education and training programmes, collaboration initiatives, and strategies for enhancing workforce mobility.
  • Point of single contact for users
  • In order to facilitate reporting on the security of products , manufacturers should designate a point of single contact to enable users to communicate directly and rapidly with them, where applicable by electronic means and in a user-friendly manner, including by allowing users of the product to choose the means of communication, which should not solely rely on automated tools.
  • Manufacturers should make public the information necessary for the end users to easily identify and communicate with their points of single contact.
  • Guidelines
  • The amended text included provisions for the Commission to issue guidelines to create clarity, certainty for, and consistency among the practices of economic operators. The Commission should focus on how to facilitate compliance by microenterprises, small enterprises and medium-sized enterprises.
  • Conformity assessment procedures for products with digital elements
  • Harmonised standards, common specifications or European cybersecurity certification schemes should be in place for six months before the conformity assessment procedure applies.
  • Mutual recognition agreements (MRAs)
  • To promote international trade, the Commission should endeavour to conclude Mutual Recognition Agreements (MRAs) with third countries. The Union should establish MRAs only with third countries that are on a comparable level of technical development and have a
  • compatible approach concerning conformity assessment. The MRAs should ensure the same level of protection as that provided for by this Regulation.
  • Procedure at EU level concerning products with digital elements presenting a significant cybersecurity risk
  • Where the Commission has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, Members considered that it should inform the relevant market surveillance authorities and issue targeted recommendations to economic operators aimed at ensuring that appropriate corrective actions are put in place.
  • Revenues generated from penalties
  • The revenues generated from the payments of penalties should be used to strengthen the level of cybersecurity within the Union, including by developing capacity and skills related to cybersecurity, improving economic operators' cyber resilience, in particular of microenterprises and of small and medium-sized enterprises and more in general fostering public awareness of cyber security issues.
  • Evaluation and review
  • Every year when presenting the Draft Budget for the following year, the Commission should submit a detailed assessment of ENISA's tasks under this Regulation as set out in Annex VIa and other relevant Union law and shall detail the financial and human resources needed to fulfil those tasks.
docs/9
date
2023-07-27T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/A-9-2023-0253_EN.html title: A9-0253/2023
type
Committee report tabled for plenary, 1st reading/single reading
body
EP
events/5/docs
  • url: https://www.europarl.europa.eu/doceo/document/A-9-2023-0253_EN.html title: A9-0253/2023
events/5
date
2023-07-27T00:00:00
type
Committee report tabled for plenary, 1st reading
body
EP
procedure/stage_reached
Old
Awaiting committee decision
New
Awaiting Parliament's position in 1st reading
events/3
date
2023-07-19T00:00:00
type
Vote in committee, 1st reading
body
EP
events/4
date
2023-07-19T00:00:00
type
Committee decision to open interinstitutional negotiations with report adopted in committee
body
EP
procedure/Other legal basis
Rules of Procedure EP 159
docs/8
date
2023-06-30T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/IMCO-AD-742490_EN.html title: PE742.490
committee
IMCO
type
Committee opinion
body
EP
docs/8
date
2023-05-22T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2022)0454 title: COM(2022)0454
type
Contribution
body
NL_SENATE
docs/7
date
2023-05-03T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/ITRE-AM-746921_EN.html title: PE746.921
type
Amendments tabled in committee
body
EP
docs/6
date
2023-05-03T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/ITRE-AM-746920_EN.html title: PE746.920
type
Amendments tabled in committee
body
EP
committees/2/opinion
False
events/2
date
2023-04-20T00:00:00
type
Referral to associated committees announced in Parliament
body
EP
procedure/legal_basis/0
Rules of Procedure EP 57
docs/5
date
2023-03-31T00:00:00
docs
url: https://www.europarl.europa.eu/doceo/document/ITRE-PR-745538_EN.html title: PE745.538
type
Committee draft report
body
EP
procedure/Legislative priorities/0/title
Old
Joint Declaration on EU legislative priorities for 2023 and 2024
New
Joint Declaration 2023-24
procedure/Legislative priorities/0
title
Joint Declaration on EU legislative priorities for 2023 and 2024
url
https://oeil.secure.europarl.europa.eu/oeil/popups/thematicnote.do?id=41380&l=en
committees/0/shadows/3
name
GAZZINI Matteo
group
Identity and Democracy
abbr
ID
docs/4
date
2022-12-14T00:00:00
docs
url: https://dmsearch.eesc.europa.eu/search/public?k=(documenttype:AC)(documentnumber:4103)(documentyear:2022)(documentlanguage:EN) title: CES4103/2022
type
Economic and Social Committee: opinion, report
body
ESC
committees/0/shadows/4
name
BOTENGA Marc
group
The Left group in the European Parliament - GUE/NGL
abbr
GUE/NGL
committees/1
Old
type
Committee Opinion
body
EP
committee_full
Civil Liberties, Justice and Home Affairs
committee
LIBE
associated
False
New
type
Committee Opinion
body
EP
committee_full
Internal Market and Consumer Protection
committee
IMCO
associated
False
rapporteur
name: LØKKEGAARD Morten date: 2022-12-16T00:00:00 group: Renew Europe group abbr: Renew
committees/2
Old
type
Committee Opinion
body
EP
committee_full
Internal Market and Consumer Protection
committee
IMCO
associated
False
rapporteur
name: LØKKEGAARD Morten date: 2022-12-16T00:00:00 group: Renew Europe group abbr: Renew
New
type
Committee Opinion
body
EP
committee_full
Civil Liberties, Justice and Home Affairs
committee
LIBE
associated
False
docs/4
date
2022-11-13T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2022)0454 title: COM(2022)0454
type
Contribution
body
CZ_CHAMBER
docs/4
date
2022-12-18T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2022)0454 title: COM(2022)0454
type
Contribution
body
BG_PARLIAMENT
docs/0
date
2022-09-15T00:00:00
docs
summary
type
Legislative proposal
body
EC
events/0
date
2022-09-15T00:00:00
type
Legislative proposal published
body
EC
docs
summary
committees/1/rapporteur
  • name: LØKKEGAARD Morten date: 2022-12-16T00:00:00 group: Renew Europe group abbr: Renew
docs/0
date
2022-09-15T00:00:00
docs
summary
type
Legislative proposal
body
EC
events/0
date
2022-09-15T00:00:00
type
Legislative proposal published
body
EC
docs
summary
committees/0
type
Responsible Committee
body
EP
committee_full
Industry, Research and Energy
committee
ITRE
associated
False
rapporteur
name: DANTI Nicola date: 2022-10-26T00:00:00 group: Renew Europe group abbr: Renew
shadows
committees/0
type
Responsible Committee
body
EP
committee_full
Industry, Research and Energy
committee
ITRE
associated
False
rapporteur
name: DANTI Nicola date: 2022-10-26T00:00:00 group: Renew Europe group abbr: Renew
shadows
docs/3
date
2022-11-09T00:00:00
docs
type
Document attached to the procedure
body
EDPS
docs/3
date
2022-11-13T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2022)0454 title: COM(2022)0454
type
Contribution
body
CZ_CHAMBER
docs/3
date
2022-11-13T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2022)0454 title: COM(2022)0454
type
Contribution
body
CZ_CHAMBER
events/1
date
2022-11-09T00:00:00
type
Committee referral announced in Parliament, 1st reading
body
EP
procedure/dossier_of_the_committee
  • ITRE/9/10122
procedure/stage_reached
Old
Preparatory phase in Parliament
New
Awaiting committee decision
commission
  • body: EC dg: Communications Networks, Content and Technology commissioner: BRETON Thierry
committees/0/shadows/2
name
CORRAO Ignazio
group
Group of the Greens/European Free Alliance
abbr
Verts/ALE
procedure/Legislative priorities
  • title: Joint Declaration 2022 url: https://oeil.secure.europarl.europa.eu/oeil/popups/thematicnote.do?id=41360&l=en
procedure/title
Old
Horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act)
New
Cyber Resilience Act
committees/0/rapporteur
  • name: DANTI Nicola date: 2022-10-26T00:00:00 group: Renew Europe group abbr: Renew
committees/0/shadows/0
name
VIRKKUNEN Henna
group
Group of European People's Party
abbr
EPP
committees/0/shadows
  • name: KAILI Eva group: Group of Progressive Alliance of Socialists and Democrats abbr: S&D
  • name: TOŠENOVSKÝ Evžen group: European Conservatives and Reformists Group abbr: ECR
docs/0/docs/0
url
https://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=EN&type_doc=SECfinal&an_doc=2022&nu_doc=0321
title
EUR-Lex
docs/0
date
2022-09-15T00:00:00
docs
type
Legislative proposal
body
EC
events/0/summary
  • PURPOSE: to lay down a horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements.
  • PROPOSED ACT: Regulation of the European Parliament and of the Council.
  • ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
  • BACKGROUND: hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021. Such products suffer from two major problems adding costs for users and the society: (i) a low level of cybersecurity , reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and (ii) an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner. In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes. This can lead to severe disruption of economic and social activities or even become life threatening.
  • While the existing Union legislation applies to certain products with digital elements, there is no horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements. It is therefore necessary to lay down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market.
  • CONTENT: with this proposal, the Commission seeks to lay down horizontal cybersecurity rules which are not specific to sectors or certain products with digital elements.
  • Subject matter
  • Based on the new legislative framework for product legislation in the EU, the proposal establishes:
  • - rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;
  • - essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity;
  • - essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes;
  • - rules on market surveillance and enforcement of the above-mentioned rules and requirements.
  • Scope
  • The draft Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. It will not apply to products for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars .
  • Objectives
  • It has two main objectives aiming to ensure the proper functioning of the internal market:
  • - create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufactures take security seriously throughout a product’s life cycle;
  • - create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.
  • Obligations for manufacturers, importers and distributors
  • Obligations would be set up for economic operators, starting from manufacturers, up to distributors and importers, in relation to the placement on the market of products with digital elements, as adequate for their role and responsibilities on the supply chain.
  • The essential cybersecurity requirements and obligations mandate that all products with digital elements shall only be made available on the market if, where dully supplied, properly installed, maintained and used for their intended purpose or under conditions, which can be reasonably foreseen, they meet the essential cybersecurity requirements set out in this draft Regulation.
  • The essential requirements and obligations would mandate manufacturers to factor in cybersecurity in the design and development and production of the products with digital elements, exercise due diligence on security aspects when designing and developing their products, be transparent on cybersecurity aspects that need to be made known to customers, ensure security support (updates) in a proportionate way, and comply with vulnerability handling requirements.
  • Notification of conformity assessment bodies
  • Proper functioning of notified bodies is crucial for ensuring a high level of cybersecurity and for the confidence of all interested parties. Therefore, the proposal sets out requirements for national authorities responsible for conformity assessment bodies (notified bodies). Member States will designate a notifying authority that will be responsible for setting up and carrying out the necessary procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies.
  • Conformity assessment process
  • Manufacturers should undergo a process of conformity assessment to demonstrate whether the specified requirements relating to a product have been fulfilled. Where compliance of the product with the applicable requirements has been demonstrated, manufacturers and developers would draw up an EU declaration of conformity and will be able to affix the CE marking.
  • Market surveillance
  • Member States should appoint market surveillance authorities , which would be responsible for enforcing the Cyber Resilience Act obligations.
  • In case of non-compliance, market surveillance authorities could require operators to bring the non-compliance to an end and eliminate the risk, to prohibit or restrict the making available of a product on the market, or to order that the product is withdrawn or recalled. Each of these authorities will be able to fine companies that don't adhere to the rules.
  • Application
  • To allow manufacturers, notified bodies and Member States time to adapt to the new requirements, the proposed Regulation will become applicable 24 months after its entry into force, except for the reporting obligation on manufacturers, which would apply from 12 months after the date of entry into force.